[PATCH] update-ids-ruleset: Run as unprivileged user.

Stefan Schantl stefan.schantl at ipfire.org
Wed Jun 5 17:27:10 BST 2019


Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl at ipfire.org>
---
 src/scripts/update-ids-ruleset | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset
index 956c3a1f5..dbe5b6849 100644
--- a/src/scripts/update-ids-ruleset
+++ b/src/scripts/update-ids-ruleset
@@ -20,11 +20,25 @@
 ###############################################################################
 
 use strict;
+use POSIX;
 
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/ids-functions.pl";
 require "${General::swroot}/lang.pl";
 
+# The user and group name as which this script should be run.
+my $run_as = 'nobody';
+
+# Get user and group id of the user.
+my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
+
+# Check if the script currently runs as root.
+if ( $> == 0 ) {
+	# Drop privileges and switch to the specified user and group.
+	POSIX::setgid( $gid );
+	POSIX::setuid( $uid );
+}
+
 # Check if the red device is active.
 unless (-e "${General::swroot}/red/active") {
 	# Store notice in the syslog.
-- 
2.20.1



More information about the Development mailing list